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A significant concern in designing complex systems implementing new technologies is 
that while knowledge about the system is acquired incrementally, substantial financial 
commitments, even make-or-break decisions, must be made upfront, essentially in the 
unknown. One practice that helps in dealing with this dichotomy is the smart embedding of 
contingencies and margins in the design to serve as buffers against surprises. This issue 
presents itself in full force in the aerospace industry, where unprecedented systems are 
formulated and committed to as a matter of routine. As more and more aerospace mission 
concepts are generated by concurrent design laboratories, it is imperative that such 
laboratories apply well thought-out contingency and margin structures to their designs. 

The first part of this publication provides an overview of resource management 
techniques and standards used in the aerospace industry. That is followed by a thought 
provoking treatise on margin policies. The expose presents the actual flight telemetry data 
recorded by the thermal discipline during several recent NASA Goddard Space Flight 
Center missions. The margins actually achieved in flight are compared against pre-flight 
predictions, and the appropriateness and the ramifications of having designed with rigid 
margins to bounding stacked worst case conditions are assessed. 

The second half of the paper examines the particular issues associated with the 
application of contingencies and margins in the concurrent engineering environment. In 
closure, a discipline-by-discipline disclosure of the contingency and margin policies in use at 
the Integrated Design Center at NASA’s Goddard Space Flight Center is made. 


I. Introduction 

S pace flight missions are defined by their engineering resources, primarily by their mass, because at the first 
order resources, especially mass, equal cost in roughly linear fashion. A well-known “urban legend” puts the 
total lifecycle cost of one kilogram of space flight hardware at one million dollars. This mass-cost correlation is 
one of the principal reasons why tight management of the engineering resources of space flight missions is so 
important. A project whose resources are well managed is most likely a project in good shape. Conversely, at times 
even the cause of mission failures can be traced back to resource management problems. 

Besides the mass-cost correlation, the following two reasons also exact smart resource management. 

1. Examining the evolution of hundreds of mission concepts formulated in concurrent engineering labs, a 
common trait stands out: space flight mission design is the art of compounded compounding. A subsystem gets 
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heavier because another subsystem got heavier. This vicious circle of growth epitomizes the perfect algorithm for a 
runaway situation; at times projects are lucky if their mass growth spiral is even convergent at all. With the smart 
use of margins, the vicious circles of growth can be broken, as growth in one subsystem can be absorbed by the 
margin in another subsystem rather than further driving the growth spiral. 

2. While knowledge about a new system implementing novel technologies is only acquired incrementally, 
substantial commitments, both financial and programmatic, are made upfront, essentially in the unknown. An 
efficient approach to dealing with this dichotomy is the embedding of contingencies and margins in the design to 
serve as buffers against surprises. 


II. Resource Management Techniques And Standards In The Aerospace Industry 


Margins are important. The initial allocation and subsequent control of margins throughout the development of a 
space system is arguably the most critical item in determining the success of a mission. Especially for satellite 
systems, the mass margin in intimately tied to other engineering and management goals such as performance, cost, 
schedule, and risk. As the mass of the object to be launched approaches the throw-mass limit of the launch vehicle, 
decisions by the development team skew more aggressively toward mass savings at the expense of some 
combination of performance, cost, schedule, or risk. Not all satellite development programs that are over their mass 
controls are cancelled, but the converse is usually true... that is, cancelled programs are almost always over their 
mass controls. 

Margins are tricky business. If a project takes on overly conservative margins at the beginning of a program, 
they may have let some mission performance go unrealized, or put themselves in an early decision to use expensive 
lightweight materials or risky lightweight technology. But projects that take margins that are too low walk the path 
of many developments where margins erode before launch and even more costly (or risky) late design trades must 
be made. The only method known for finding the right balance is experience. The maturity of the design and the 
“battle scars” of experienced designers and project managers drive the margin metrics. Standards, whether held in a 
development organization or in some published industry standard, are a primary way this experience is passed from 
project to project. 

Of course, margins apply to many metrics in the development of a space system, not just mass. Power, data 
storage, data downlink, processing, pointing error, and thermal metrics are all common satellite technical 
performance measures (TPMs). These TPMs are tracked in regular (usually monthly) progress meetings and can be 
used by subsystem engineers as well as project management and senior management to keep a finger on the pulse of 
the development. It is rare that mass or the other TPMs ever go down and it is common that several may rise 
together in a correlated way as one subsystem’s growth drives others. 

In order to track TPMs over 
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the development schedule, a 
Growth Allowance and 
Depletion Schedule is 
followed. This allows for 
larger growth allowances and 
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program milestones. Fig. II- 1. 
shows such a plan for mass. A 
mass properties control plan 
(MPCP) is established early in 
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Figure II-l. Contingency and Margin Terminology. (Courtesy AIAA S-120- 
2006.) 
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controlling mass. A Mass Control Board (MCB) or other engineering/management board such as a Change Control 
Board (CCB) performs the function of formally setting the allocations. For example, formal mass threats and 
opportunities are kept in a database and reviewed periodically. A mass threat has a defined mass growth and a 
probability of occurrence. If a mass threat is realized, it is formally added to the basic mass estimate and removed 
from the threat list. Mass threats are usually reviewed concurrently with project risks since risk mitigations are often 
design changes that result in mass growth. Of course, there can be mass savings opportunities (threats with a 
negative sign), but those are not realized as often as the threats. 

Formal standards for tracking mass margins have existed since the 1970s. The current industry standard for 
tracking of mass margins on a space system development is A1AA S-120-2006 11 " 1 . This standard. Mass Properties 
Control for Space Systems combined the earlier MIL-HDBK-181 1 (1998) Mass Properties Control for Space 
systems 11 " 2 , MIL-STD-1811 (1992) Mass Properties Control for Space systems 11 " 3 , and M1L-M-38310B (1971) Mass 
Properties Control Requirements for Missile and Space Systems 11 " 4 . A1AA S-120-2006 replaced an ANS1/A1AA 
standard R-020A-1999 Recommended Practices for Mass Properties Control for Satellites Missiles, and Launch 
Vehicles 11 " 5 . A1AA S-120-2006 is used both as a standard for establishing commonality between programs and 
contractors, but also is often called out as a contracting document to enforce standard reporting of mass properties to 
government or commercial customers. 


III. Validation Of Thermal Margin Policies 

This section examines the effects of design and margins rules applied to one subsystem (thermal) in several 
actually flown space flight missions, and how compliance with those rules impacted system-level resources. It 
investigates both explicit margins (specified organizational margin requirements) as well as implicit margins 
(margin hidden in biasing parameters used in stacked worst case analyses). In addition, data is presented that 
compares those design margins against what was seen in flight in seven recent GSFC missions. 

At its most basic level, thermal engineering consists of two activities: sizing radiators to reject the maximum 
power loads to the hottest flight environment while keeping components below their maximum operating 
temperature, then sizing heaters to keep the components above their minimum operating or survival temperatures in 
the coldest environment given the radiator sizes determined above. This process becomes more complex by locating 
the heat loads farther away from the radiator (requiring heat transport components like heat pipes), needing fine 
temperature gradient control components, or the need for insulation. 

The NASA Goddard Space Flight Center GOLD Rules 111 " 1 specify thermal control system margins that each 
mission must demonstrate. All of these margin rules are intended to provide excess heating and cooling capability 
within the thermal control system, so that small failures, last-minute design changes, or on-orbit anomalies will not 
impact the spacecraft performance. Thermal analysis must show that all components have at least 5°C margin on 
both the hot and cold limits under stacked, worst case conditions. This results in slightly larger radiators, often 
resulting in more mass, and more orbit-average heater power in cold cases. Additionally, all heater circuits must be 
sized to a maximum duty cycle of 70%, which provides excess heating capability but increases the current draw by 
40%. Finally, all two-phase heat transport systems require 30% margin on their heat transport capability. These 
thermal margins are published and generally well-understood by the systems engineering teams. 

Less understood are the thermal margins embedded in thermal analysis and design techniques. The thermal 
analysis cases are usually defined using stacked worst cases, typically varying four biasing parameters: 
environmental heat loads, coating degradations, component power dissipations and beta angles. These assumptions 
give the widest possible set of temperature predictions with confidence that the flight cases will always exist within 
that range assuming normal operations. Little consideration is given to the likelihood or frequency of all these 
parameters actually occurring simultaneously during the mission as analyzed in a stacked worst case analysis. Since 
these assumptions all impact the thermal analysis predictions, and the radiator and heater sizes are determined from 
the analysis, they directly impact the system resources used by the thermal control system. 

Furthermore, when reporting predictions, it is common to report the localized spatial nodal temperature extreme 
at the minimum and maximum points in an orbital analysis. At times, these localized spatial and temporal 
temperatures may not necessarily be representative of the bulk temperature of a component for which a limit is 
specified. Lastly, the duration of the mission during which extreme temperatures may be reached should also be 
considered, since most operational limits are specified based on long term performance over a given temperature 
range. Short duration excursions outside of this range would likely have a minimal impact on overall mission 
performance, but it is common for thermal to ensure that 100% of the mission stays within limits. 
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Recent work has assessed the impact of each of biasing parameters on thermal margins. The Global Precipitation 
Measurement (GPM) mission, being designed, integrated and tested at GSFC, was analyzed using a linear 
interpolation technique to predict the temperature profile over the entire mission with anchor points based on 10 beta 
angles, 3 environmental flux, 2 power dissipation, and 2 property configurations for a total of 120 anchor points. 
The overall profile of the GPM mission was then evaluated to determine what percentage of the mission was spent 
with a given quantity of 
margin 111 ' 2 . This mission 
estimation technique was 
validated using flight data 
from the Lunar 

Reconnaissance Orbiter 
mission by comparing 
predictions for LRO 
calculated using this approach 
to actual LRO flight data, and 
fairly good agreement was 
found in most 

circumstances 111 " 3 . The 

estimation technique was then 
applied to GPM using an 
incremental approach for 
each biasing parameter to 
determine its impact on the 
perceived margin compared 
to the stacked worst cases 111 " 4 . 

Table III-l. shows the impact 
of progressively incrementing 
each basing parameter on 
various critical avionics for 
the spacecraft. 

Previous work has also 
looked at the impact of the 
5°C temperature margin on 
the system resources of mass 
and power. Four existing 
radiator designs were used for 
this study: two that had 

already been built and two 
that were in their preliminary 
design stages. The 
temperature margin against 
the hot operational limits 
resulted in radiator mass 
growth of between 0.3 and 0.7 kg per 100W heat load rejected, depending on the radiator views and operating 
temperatures. Note that this is a first-order impact only; it does not include the impact of heavier structure to support 
the heavier radiator. Oversizing the radiator also resulted in a survival heater power increase of 4 to 6W per 100W 
heat load. These impacts then trickle through other subsystems, increasing the overall capability and complexity of 
the flight system. 

The validation of thermal margin policies, both explicit and implicit, lies in comparison of predicted 
temperatures to those seen on orbit. Recent work has looked at this comparison for seven recent GSFC missions 111 " 5 . 
Daily or orbital max temperatures were polled for a total of 209 flight temperature sensors over the entire life of 
these missions, most of which have operated beyond their designed lifetime. These were then compared against the 
test-correlated temperature predictions generated before launch. Fig. Ill- 1 . shows the results of this study. Across the 
board, all of the measured flight temperatures were less extreme than the bounding prediction with two 
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Table III-l. Impact of analysis assumptions on worst-case predictions. The 

impact of multiple stacked worst-case assumptions are shown on the predicted 
temperature of GPM components. These include the need to meet requirements 
all the time, using bounding environmental heat loads, worst-case optical 
property degradations, varying the CBE power and using the worst localized 
nodal temperature. 
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exceptions: one solar array sensor on a 
single mission ran warmer than 
predicted (due to what was later 
determined to be bad thermal modeling 
practices on an uncorrelated model), 
and actuators in general tended to run 
up to 2°C above their stacked worst- 
case predictions 1% of the time. The 
flight data was 2°C less than the 
bounding hot case predictions 95% of 
the time, but the average flight data 
point was 16°C lower. Based on these 
results, it can be concluded that the 
stacked worst-case assumptions 
discussed as implicit thermal margin do 
a good job bounding three standard 
deviations of all possible orbital 
thermal environments, but that this may 
be excess margin for lower-cost more 
risky missions. 


IV. Impacts Of Thermal Margin 
Policies 
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Figure III-l. Flight temperature data compared against 
predicted temperatures, grouped by component type. All 

components run below their worst-case hot predictions throughout the 
mission, with the exception of a single solar array sensor on one 
mission. 


other potential missions. More expensive and highly robust missions consume resources (both money and staffing) 
that could be alternately used to develop other missions. Ultimately, a choice is presented: more missions with 
higher risk or fewer missions with lower risk, i. e. how to best maximize the science return on total dollars invested. 

The above analyses of the margins held as standard practice by the GSFC Thermal Engineering Branch (both 
explicit margin required by the organization and implicit margin held as conservatism in the design parameters), 
suggest that lesser margins could be maintained without adding significant risk. Given that performance limits are 
generally based on long term operation within the specified limits, maintaining all components within limits for 
100% of the mission with 5°C (or greater) margin may be excessive and unnecessary. In fact the typical 
qualification of the design to temperatures 10°C outside of the expected flight temperature extremes itself 
demonstrates that short duration excursions (i.e. on the order of thermal vacuum testing durations) do not 
significantly impact the overall performance of the hardware. 

Determining the impacts of reduced design margins on a mission’s overall cost and schedule is overarching and 
complex, but the impacts are not inconsequential. The potential of savings in resources may be truly far reaching, as 
the overly conservative design culture is not limited to thermal engineering, but in fact it is prevalent in almost all 
disciplines. Significant cost savings could be realized with higher, but manageable, mission risk, by having every 
subsystem perform overarching analyses to characterize their explicit and implicit margins, and determine the 
correct margins to be applied for a given risk posture and mission success scenario, rather than - as is the case now - 
apply every time pre -ordered inflexible and overly conservative margins. 


While many missions flown by 
GSFC have been quite successful, the 
potential costs associated with 
designing highly robust spacecraft and 
instruments that far outlast their design 
life may have come at the expense of 
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V. Application of Contingencies and Margins in Concurrent Engineering 


Concurrent engineering at the conceptual design phase must reflect the best guess of what the flight article will 
look like, and, for all of the reasons stated above, that guess incorporates contingencies and margins. The following 
two Sections describe how the Mission Design Laboratory (MDL) of the Integrated Design Center (IDC) at NASA 
Goddard Space Flight Center V1, applies contingencies and margins to their designs v ". 

A. Governing Principles 


The governing principles in applying contingencies and margins in the concurrent engineering environment are: 
Flexibility, Appropriateness, Rightness, and Clarity. 

Flexibility is essential in all things concurrent engineering. Considering the extraordinary variety of pre-Phase-A 
concepts studied in the concurrent design labs of the IDC, from planetary rovers to satellite dispensers, the use of an 
inflexible set of contingencies and margins with no regard to the unique attributes of each study would be 
counterproductive. To avoid any rigidity that would lead to an inferior designs, due consideration is given to the 
unique circumstances of each particular mission. For that one reason: flexibility, the definitions presented here are 
used only as guidelines in the IDC, not as rules. Compliance is on a “best effort / as practical” basis. The 
contingency and margin guidelines are also flexible in that they are living documents that evolve as the state of the 
art in concurrent design advances, and also to reflect changes in applicable industry standards and regulations. 

Appropriateness requires applying contingencies and margins at a level that is commensurate with the limited 
resolution of rapid design. Defining contingencies and margins for concurrent engineering in minute details is not 
necessary; the resolution must allow easy and rapid application well suited to the quick pace of the work in the labs. 
While compliance with applicable industry guidelines and standards, such as the GSFC "GOLD Rules" 111 " 1 , the 
Space Mission Analysis and Design handbook 3 " 3 , or the GSFC Environmental Verification Standard (GEVS) v " 4 is 
to be maintained, such compliance can be accomplished at higher levels of assembly, for instance by applying 
contingencies and margins at the subsystem or system levels, as opposed to the line item or component levels. 

Rightness requires that the size of contingencies and margins reflect the correct flight-like configuration and not 
be disproportionate, under or oversized. As contingencies and margins burden the mission concepts with additional 
cost, mass, volume, power, etc., right sizing them is markedly important for a correct and affordable design. Stacks 
of contingency pile-ups are to be strictly avoided. 

Clarity requires that the contingencies and margins applied be well-defined and easy to understand. Their 
application should not complicate the study flow by requiring excessive justification or negotiations with the 
customer. It is appropriate, even expected, that the 
results of concurrent studies are modified by the 
customer after leaving the labs; the design sessions 
themselves often uncover areas needing additional 
post study attention. If the definition of contingencies 
and margins that were implemented is clear, then it 
will be straight-forward for the customers to work 
with them during the post-study adjustments. 

B. Definition of Terms 

Dictionaries define “Contingency” as “a possible 
occurrence” , while “Margin” as “an amount beyond 
the necessary”. Fig. V-l. shows the relationships 
between the commonly used terms in this field. The 
most frequently used terms and acronyms, in 
accordance with standard A1AA SI 06 11-1 , are: 

MPV (Maximum Possible Value) 

MEV (Maximum Expected Value) 

MGA (Maximum Growth Allowance) a.k.a. 

“Contingency” 

CBE (Current Best Estimate) 



Figure V-l. Contingency and Margin Terminology 
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The relationships between the above terms are defined as: 

MGA (a.k.a. Contingency) = (MEV - CBE) / CBE expressed as a % 

Margin = (MPV - MEV) / MEV expressed as a % 

In common practice, there is much confusion as to which of the two terms on the right side of the above 
equations is to be placed in the denominator, the “bigger one”, or the “smaller one” (correctly it’s the smaller one, as 
shown, yielding more favorable numbers). 

Replacing the simplistic term “Contingency” with the two more specific terms “Growth Contingency” (i.e. 
(MEV - CBE) / CBE), and Resource Contingency (i.e. (MEV - CBE) / MEV) would preempt any such 
misunderstanding. Likewise, “Margin” could be replaced with the more specific terms “Growth Margin” (i.e. 
(MPV - MEV) / MEV), and “Resource Margin” (i.e. (MPV - MEV) / MPV). Lastly, to avoid a common cause of 
confusion, the term “Reserve”, should be avoided altogether, as it is ambiguous, confusing, and has been used as a 
misnomer for a variety of other terms. 

C. Design Based on CBE vs. MEV 

As stated above, a subsystem gets heavier because another subsystem got heavier; subsystem masses drive other 
subsystem masses. This implies with mathematic clarity that a design sized on MEV values is intrinsically different 
form a design that used CBE values, even if upon completion an overall MGA was added to the latter. The 
examples in Figures V-2. and V-3. clearly illustrate this point. 


Sizing with CBEs 


Telescope 
CBE: 1000 kg 



Figure V-2. Example of sizing using CBEs. The 
total System Mass is CBE 1960 kg. If the Telescope 
and the Electronics Box weigh in at MEV masses, 
then the Struts and the Optical bench are undersized! 


Sizing with MEVs 


Telescope 

CBE: 1000 kg Cont: 25% 

MEV 1250 kg 



CBE: 327 kg Cont: 10% sized for MEV of 1995 kg 

MEV 360 kg CBE: 512 kg Cont: 10% 

MEV 563 kg 

Figure V-3. Example of sizing using MEVs. The 
total System Mass is CBE 2189 kg, Composite 
Contingency 17%, MEV 2558 kg. Even if the 
Telescope and the Electronics Box weigh in at MEV 
masses, the Struts and the Optical bench are sized 
right. 


Take a hypothetical telescope with a mass of 1000 kg CBE (1250 kg MEV), and assume its supporting structure 
calls for struts that weigh 20% of the supported mass. The struts sized using the telescope’s CBE mass then weigh 
200 kg (CBE) (as shown in Fig. V-2.). A more realistic design (shown in Fig. V-3.) factors in the possible mass 
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growth of the telescope by sizing the supporting struts for the telescope’s MEV mass of 1250 kg. The same sizing 
rule (20% of the supported mass) now call for stronger struts weighing 250 kg (CBE). In the first design, the mass 
ratio of the struts (CBE) to the telescope (CBE) was 20%, but in the second that ratio is 25%. The struts based on 
CBE masses are undersized, those struts could break. Note, that the “CBE design’s” telescope-to-struts mass ratio 
will never equal that of the “MEV design”, not even after applying any overall system level MGA to it; the two 
designs are really not the same. 

Figures V-2. and V-3. clearly illustrate this point, and even take it one level further through the calculations for a 
moveable platform. At that additional level, the differences between the CBE based and MEV based designs become 
even more pronounced, the divergence becomes fairly significant. 

The “take home message” is that concurrent engineering should generally base its sizing calculations on MEV 
values. A design based on CBE’s may be wrong. 

D. Contingency Pile-up 

The consecutive allotment of a series of contingencies can have a significant effect on the overall system, as seen 
in the example in Figures V-2. and V-3. In the Fig. V-3. case, the serial allotment of MGAs was right, but there are 
many instances when contingency pile-ups are wrong, especially when the contingency pile-ups remain hidden 
because they cross subsystem or dimension boundaries. 

The realistic scenario below from a concurrent study illustrates the nature of hidden contingency pile-up: 

The RF Comm subsystem gets the CBE data rate from Science, and adds 30% contingency to it. 

With that, RF Comm selects a slightly oversized RF hardware to handle the MEV data rate. Of course, that 
RF Comm gear is bigger, heavier, and consumes more power, than a comparable hardware sized for CBE 
data rates would have been. 

RF Comm then sends the (higher) CBE power consumption of the (bigger) RF Comm hardware to the 
Electrical Power Subsystem (EPS). 

EPS adds its own 30% contingency to the power consumption of the already oversized box, and sizes a 
Power System that includes the contingent load of the RF Comm hardware. 

Then, EPS reports not the CBE but the MEV power dissipation of that (bigger) PSE box to Thermal. 

Thermal sizes a radiator for the MEV power dissipation, but in doing so, it adds temperature margins that 
call for an additionally oversized radiator. 

Mechanical then adds its own contingency the reported radiator mass when sizing the radiator’s supporting 
structures. 

Reaction wheels are then sized to handle that systems MEV inertia plus due GN&C contingency factored in, 
which makes the wheels even larger, consuming even more power (reported back to EPS, that adds 30% 
contingency to it...) 

... etc., etc. 

Looking back at the data rate as the starting point, it’s hard to see how many layers of contingencies were piled 
on. The bottom line is: concurrent design products are vulnerable to contingency pile-ups, especially so to hidden 
contingency pile-ups. 

The question arises: When is contingency pile-up right, when is it wrong? 

Contingency pile-up is right when the causes for the growth of resources over different sequential subsystems or 
domains are correlated, i.e. one growth drives the other. Consider this example: 

15%> contingency is added to the CBE mass of a box. As the box could actually grow to that MEV mass, its 
support structure should be sized for the MEV mass. The MEV based design of the support structure itself 
then yields a CBE mass for that structure. As that support stnicture itself could experience mass growth of 
its own, it is proper to add another contingency %> to its mass, and account for that MEV mass at the System 
level. 

In the above example, the supported mass obviously drove the size of the support structure, the two domains were 
clearly correlated, thus the consecutive allotment of superimposed contingencies was right. 

Contingency pile-up is wrong when the causes for resource growth in different sequential domains in the design 
are uncorrelated (i.e. one does not drive the other). Take this example: 

25% contingency is carried over the CBE mass of an avionics box. The CBE power consumption of the box is 
100W. It does not follow automatically that the Electrical Power Subsystem should size its gear factoring in 
an MEV power load of 125W (incl. 25% contingency) from that box. Why? Because the power consumption 
of an avionics box doesn ’t necessarily grow when its mass grows. Avionics mass growth can be triggered by 
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the need for more radiation shielding, or when the exact same electronics circuits don’t fit in the box as 
planned, and a larger housing is needed. Avionics’ mass MGA provides cushioning for such mass growth 
events, neither of which necessarily affects power consumption. This is not to say the Avionics box ’s power 
doesn ’t need contingency; it does. Just that the rationale for sizing that is independent of the rationale for 
sizing the mass MGA. 

In the above example, the two domains were orthogonal, uncorrelated; therefore the automatic consecutive 
superimposed allotment of contingencies would be wrong. MGAs applied to uncorrelated domains are subject to 
different rationales, and must be evaluated independently of each other. 

General rules are hard to define in this area, logical end-to-end thinking is required to determine the right 
approach to contingencies across uncorrelated domains. 

It is interesting to note that, conversely to contingency, margin doesn’t pile up! It is therefore preferable to have a 
lesser but realistic contingency with the balance carried as margin, than to have unrealistically high contingencies 
with a lesser margin. 

E. Contingency Size 

Too much contingency can stifle a mission while too little can break it. How much contingency is right? Several 
factors, such as mission class, risk posture, and system resiliency, affect the absolute magnitude of the contingencies 
and margins that are right for a particular project. 

The magnitude of contingencies and margins is a function of the mission class. More contingency is required for 
a Class A mission then for a Class D mission. 

Same goes for mission type. An interplanetary mission, where the launch vehicle’s throw mass is exploited to the 
last ounce, may opt for relatively narrower contingencies and margins, while a LEO mission with throw mass in 
relative abundance may be more cavalier. Tightening the contingencies and margins is usually compensated by 
meticulous planning and more aggressive resource management, occasionally coupled by unforgiving “no fly” rules 
for violators. 

An interesting approach in reducing the overall mission level contingencies and margins is enlisting the help of 
statistical averaging: pairing up subsystems begging for more resources with those having them in excess. On 
Cassini, a stock market-like resource exchange v " 5 was created to that effect, where payload contingencies could be 
traded according to free market principles. 

The magnitude of contingencies and margins is also function of the project’s risk posture: obviously less 
contingency means higher risk; risk of any kind: performance, technology, programmatic, financial, etc. 

F. System Resiliency 

The right size of the contingency required in each domain is also a strong function of the resiliency of system 
performance to the resource growth impacting that domain. 

In some cases, exceeding the MEV results in nothing more than a graceful degradation of performance. In such 
cases lesser contingency is acceptable. 

Slew and repointing performance in many missions exhibits graceful degradation characteristics. If due to 
mass growth the obsei-vatory’s inertia exceeds the maximum expected value for which the reaction wheels 
were sized, the consequence is a proportional increase in slew times, resulting in nothing more serious than 
a slight degradation of the mission ’s observing efficiency. 

In some other instances, exceeding the MEV causes unacceptable harm to the mission, and is to be avoided at all 
cost. Obviously, in such cases more generous contingencies are required. 

Mass growth often faces a hard breakpoint, the launch vehicle ’s throw mass capability to the desired orbit. If 
the mission ’s launch mass exceeds the throw mass capability then the target orbit can ’t be reached; the 
mission may be over before it began! 

In summary, less contingency is needed for phenomena or system performance that exhibits soft or graceful 
degradation, and more when a hard breakpoint is faced. 
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VI. IDC Contingency and Margin Guidelines 


This secion provides an itemized category by category disclosure of the contingency and margin guidelines in 
use in the IDC. 

A. Contingency and Margin Guidelines for Mass 

The IDC mass contingency policy complies with AIAA Standard S-120-2006e IM and with Goddard Technical 
Standard GSFC-STD- 
1000E 111 " 1 , the GSFC 
“GOLD Rules”. 

Mass MGA is applied 
as per Table VI- 1. The 
MGA %’s used for each 
item are a function of the 
item type (columns) and 
the item’s design 
maturity (rows). 

System level mass 
margin is to be applied 
above and beyond the 
itemized growth 

contingencies. The size 
of the system level 
margin is a function of 
the Project phase; for 
Pre-Phase-A concepts it 
is typically 30%. 

B. Contingency and Margin Guidelines for Electrical Power 

The guideline for sizing electrical power systems takes into consideration the complex factors that play into 
power system performance, at the same time it attempts to avoid prescribing excessive contingencies. 

The power system is to be sized such that under the worst case realistic load conditions present; under the worst 
case operational scenario; at EOM, and/or at any other worst case minimum power generation capability; the power 
delivered have a minimum of 30% contingency over the total CBE loads. Time permitting, sizing accuracy can be 
increased by compiling realistic load profiles as per the study’s defined mission operations modes. 

To avoid unrealistic contingency pile-ups, there is no “system level margin” applied on top of the contingency 
described above for power system sizing. 

The time base used for sizing the power system must be carefully established by considering realistic mission 
operations scenarios. For simple LEO orbits, the base time span used for sizing the power system is typically one 
whole orbit, comprising the energy balance over the sunlit and eclipsed portions. For fully sunlit cases, such as a 
drift away or libration orbit, the time span on which the sizing of the power system is based is determined 
predominantly by operational considerations that embrace nominal operational modes and also safe modes. 

At the completion of power system sizing, the discipline reports out the MEV mass and dimensions of the EPS 
components baselined. 

C. Contingency and Margin Guidelines for Structures, Mechanisms 

The mechanical / structural discipline sizes its entire design to MEV values (i.e. MEV mass, MEV dimensions, 
MEV inertias, etc.) for all of the structures, elements, components, boxes, parts, etc. accommodated by the design. 
The design thus obtained produces CBE values. Appropriate MGA %'s are then added to those CBE values (per the 
GOLD Rules Contingency Table), and the MEV values thus obtained are reported to Systems. 

Structural analysis, if performed, uses MEV values for calculation of loads and dynamic requirements. 
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Table VI-1. Mass MGA %’s. The MGA ’s to be applied as a function of each line 
item ’s technological maturity. 


TR1, 


Sub-system Design Maturity 1 Range 1 Contingency /Reserse (in percent)' 



Elccl 

rical Elect 

ronlc 

| 

I 

4*3 

y fc 

V y ? 

r 

£ 

Solar Array 

■5 > 

8 1 
£ £ 

§ 

i 

a 

3 

| 

i 

£ 

£ 1 

* a 

s 5 
1 I 
» | 

O-Skg 

5-/5 kg 

>15 kg 

Basic principles reported thru 
technology concept andor 

application formulated 

0 to 2 

30 

25 

20 

25 

30 

25 

30 

25 

25 

25 

55 

55 

Analytical /experimental proof of 
concept thru breadboard validation 

3 to 5 

25 

20 

IS 

15 

20 

15 

20 

20 

15 

15 

30 

30 

Sub-system, component prototype 
demo in an operational environment 

6 

20 

IS 

10 

10 

15 

10 

10 

15 

10 

10 

25 

25 

Sub-system engineering unit test in 
an oocnitional environment 

7 

10 

5 

5 

5 

6 

5 

5 

5 

5 

5 

10 

10 

Actual sub-system completed and 
flight qualified 

8 

3 

3 

3 

3 

3 

3 

3 

3 

3 

3 

5 

5 

Actual sub-system flight proven 
through successful mission 
oftcraUgna 

9 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 


I . Adapted from Table I . “Space Systems - Mass Properties Control for Space Systcins",S- 1 20* 2006c, AIAA. 

2 See the latest version of NPR 7 120.X Appendix J for NASA TRL definitions and classification schema. 

3. Contingency % 1 00% x Contingency (kgs) (Maximum Expected Valuc(kgs) - Contingency(kgs)) 

4. Propulsion sub-system dry mass only. 

5. I- or system margins, sec Table 1.06-1. 

6. Subsystems not identified as new technology developments can be evaluated as if they arc at TRL 6. 

7. Subsystems which arc fully qualified at the system level for the current mission, and have been weighed, can be evaluated as if they arc at 

TRL 9 


Moments of inertias are calculated from MEV masses, rather than calculated from CBE masses subsequently 
burdened with contingency, which may produce a false result. 

Torque margins are sized per GEVS v " 4 as follows: known torque factor of safety: 2.0; variable torque factor of 
safety: 4.0. These factors of safety apply to the MEV values of all mechanical functions, those driven by motors as 
well as springs, etc. at BOL, and include all flight drive electronics effects and limitations. 

The following factors of safety apply to MEV limit loads in accordance with GEVS v " 4 , to provide confidence 
that the hardware will not experience failure or detrimental permanent deformation under test, ground handling, 
launch, or operational conditions: 


Type 

Static 

Sine 

Random/Acoustic 

Metallic Yield 

1.25 

1.25 

1.6 

Metallic Ultimate 

1.4 

1.4 

1.8 

Stability Ultimate 

1.4 

1.4 

1.8 

Beryllium Yield 

1.4 

1.4 

1.8 

Beryllium Ultimate 

1.6 

1.6 

2.0 

Composite Ultimate 

1.5 

1.5 

1.9 

Bonded Inserts/Joints Ultimate 

1.5 

1.5 

1.9 


D. Contingency and Margin Guidelines for Thermal 

Thermal design is sized to provide a margin between the stacked worst-case flight predictions and component 
allowable flight temperature limits, both in normal operations and planned contingency modes, in accordance with 
GEVS v ' 4 and the applicable GSFC procedures and guidelines for thermal design. The thermal system is sized using 
MEV power dissipation values to hold a minimum of 10°C temperature margin in the radiator sizing calculation. 
(Note that the actual requirement in GOLD Rules is to have 5C of margin against operational limits.) No other 
contingency is included. 

As an example, holding a 10°C margin at a radiator temperature of 283°Kwould result in a radiator size 
margin of about 15%. 

3a values are used for uncertainties in coatings properties, solar constant, albedo, insulation properties, etc. (The 
10 degrees margin above is in addition to the padding provided by using 3a values.) 

Radiator sizing must factor in not only power dissipation, but also other contributing factors, such as 
temperature drop caused by the heat transport device (heat pipes, loop heat pipes, thermal straps, etc.), 
environmental flux absorbed, absorptance and emittance of thermal coating, orbital modeling (beta angle, sun angle, 
eclipse), back load from solar arrays, view factor to other instruments or spacecraft components, parasitic heat load 
(major factor for detectors passively cooled at cryogenic temperatures), etc. 

Survival heaters are to be sized to deliver the nominal CBE power at 70% duty cycle, which means that the 
heater circuit is capable of a 40% increase in power. 

E. Contingency and Margin Guidelines for Cryogenics 

100% contingency is applied to the cryogenic system’s heat lift capability (i.e. the actual cryogenic temperature 
CBE heat loads are doubled for sizing purposes). 

Note: The National Institute of Standards and Technology (NIST) considers the field of cryogenics as that 
involving temperatures below —180°C. 

F. Contingency and Margin Guidelines for Flight Dynamics 

Flight Dynamics and propellant calculations are more analytical and more predictable than the products of most 
other disciplines. The IDC margin policies reflect that. 

Flight Dynamics reports 3a delta-v’s values, based on: 

• 3a launch vehicle delta-v dispersion. 

• 2a solar cycle predicts. 
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Flight Dynamics generates two mission total CBE delta-v’s rackups: 

• One for the required mission life. 

• One for the “goal” mission life. 

The published 3c worst case CBE delta-v numbers don’t contain any contingency, except in rare exceptional 
cases where no reliable accurate delta-v calculations can be made. 

G. Contingency and Margin Guidelines for Propulsion 

Below is a tabulation of the main items defining propulsion system sizing, with an item by item listing of how 
all the contributors to that item’s sizing are to be factored in. 

Delta-v: Use 3o worst case CBE delta-v numbers as reported by Flight Dynamics, without any additional 
contingency. Size the propellants for the required mission life delta-v (not the “goal” mission life delta-v). 
Propelled mass: Calculate propellants using MEV masses. 

Specific impulse: Use realistic I sp ’s substantiated by component data sheets and burn modes. Factor in l sp , 
and “thrust vs. pressure” functions for blow-down systems. Use 2% to 5% margins on I sp , and thrust for 
heritage COTS units. When thruster data is unavailable, a conservative I sp is to be factored in, 10% below 
typical nominal values. 

Other factors: Add thruster cosine losses as applicable. For non-impulsive maneuvers, take into account the 
efficiency of long burn times and also thrust vector orientation. Considers worst case propellant loading 
temperatures and density variations. 

Non-thrust propellant use: Account for the MEV value of any other propellant use during the mission, such 
as reaction wheel offloads, propulsive slews, stray torque compensation, etc. 

“Propellant Taxes”: Add 5 % ACS Tax on all delta-v numbers. Add 3% to 5% for ullage and residuals on 
total propellant, dependent on manifold size, complexity, and tank expulsion efficiency. 

Tank sizing: Size tanks for a wet launch mass that equals the launch vehicle throw mass, with all the above 
considerations factored in. 

Sizing is to be verified by “bottoms up” calculations. When the sizing is complete, report the MEV masses and 
dimensions of the propulsion hardware to Systems. 

H. Contingency and Margin Guidelines for Attitude Control 

Below is a tabulation of the main items defining the sizing of the Attitude Control system, with an item by item 
listing of how all the contributors to that item’s sizing are to be taken into account. 

Mass properties: The ACS is sized to MEV mass properties. 

Actuators: Use MEV mass properties and MEV moments of inertia in sizing of the actuators (typically 
reaction wheels, magnetic torquers, and thrusters). 

Disturbances: Apply variable contingencies, typically 100% for environmental and stochastical disturbances. 
Torques: Apply 30 - 50% contingency on slew torques and momentum unloading torques. 

Performance modeling: Use 3o uncertainties in reaction wheel, thruster, torquer, etc. performance modeling, 
and then add a low contingency (5 to 10%), whose value depends on what the mission can bear and what’s 
the degradation posture (soft vs. hard). Factor in variable contingencies for slew times, as applicable. 
Knowledge and control requirements: Typically 40% contingency is applied to the knowledge and control 
requirements to provide padding for factors outside of the ACS (such as thermal distortion, instrument 
misalignments, instrument jitter, orbit error (for geolocation missions), etc. 

Controller Stability Margins: apply at least 6 dB for rigid body stability; 30 degrees phase margin; 12 dB 
gains margin. In practice, the high-level controller design specified in the MDL does not permit precise 
determination of these margins; instead ROM values are produced that satisfy this requirements. 

I. Contingency and Margin Guidelines for RF Communications 

Below is a tabulation of the main items defining the sizing of the RF Communications system, with an item by 
item listing of how all the contributors to that item’s sizing are to be taken into account. 

Data rates: Apply 30% contingency on CBE data rates. 

Components: All RF components sized to MEV values. 
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Communication links: Size to 3 dB margin, except for TDRSS links, where 0 dB margin is acceptable. 
Antenna coverage: Assume 90-99%, with the assumption clearly stated. 

Rain attenuation: Assume 90-99%, with the assumption clearly stated. 

J. Contingency and Margin Guidelines for Flight Software / IT 

On all flight software items, such as ROM and PROM sizes, CPU usage, various bus loading factors, timing 
margins, etc., always apply 50% contingency across the board, except as stated below: 

PCI Bus: 75% contingency required. 

1553 Bus: 30% contingency required. 

K. Contingency and Margin Guidelines for Radiation 

The Total Ionizing Dose (TID) values published by the Radiation discipline are typically MEV values in that 
they typically include a 2x Radiation Design Margin (RDM) (i.e. the contingency applied is 100%). The fact that 
the TID numbers include a “2x RDM” must be clearly noted. 

Component single event specification: no SEE 
may cause permanent damage to a system or 
subsystem. Electronic components shall be designed 
to be immune to SEE-induced performance 
anomalies or outages that require ground- 
intervention to correct. If a device is not immune to 
SEEs, analysis for SEE rates and effects must take 
place based on the linear energy transfer threshold 
(LETth) of the candidate devices as shown in Table 
VI-2. 


Table VI-2. Linear energy transfer thresholds. 

Environment to be assesses as shown. 


Device Threshold 

Environment to be Assessed 

LET th < 20 (MeV cm 2 )/mg 

GCR, trapped protons, SPE 

LE^ = 20-75 (MeVcm 2 )/mg 

GCR, SPE 

LET th > 75 (MeV cm 2 )/mg 

No analysis required 


L. Contingency and Margin Guidelines for Schedule 

The funded schedule reserves to be factored in the project schedule and cost calculations are: 

- 1 month per year in Phase C and Phase D1 (build). 

- 2 months per year in Phase D2 (observatory I&T). 

- 3 months per year in Phase D3 (launch site ops). 


VII. Conclusions 

This paper touched on a number of areas associated with the application of contingencies and margins during the 
formulation phases of space flight missions. 

Section II. presented a survey of resource management techniques and standards used across the aerospace 
industry. 

In Sections III. and IV., the impacts of various parameters on thermal margins were investigated, and the 
margins actually achieved in flight in several recently flown NASA Goddard Space Flight Center missions were 
compared against pre-flight predictions. As practically all components maintained excess margins at all times, the 
findings suggest that lesser margins could have been applied without adding significant risk to those missions. The 
ramifications of lesser contingencies and margins could be far reaching. While most missions flown by GSFC using 
the present conservative margin policies have been quite successful, the costs associated with designing highly 
robust spacecraft and instruments that far outlast their design life come at the expense of other potential missions. 
More expensive highly robust missions consume resources that could be alternately used to develop other potential 
missions. Ultimately, the choice is presented: more missions with higher risk or fewer missions with lower risk; i.e. 
how to best maximize the science return on the total dollars invested. 

Section V. examined the particular issues associated with the application of contingencies and margins in the 
concurrent engineering environment, and Section VI. provided a detailed disclosure of the contingency and margin 
policies in effect at the Integrated Design Center at NASA’s Goddard Space Flight Center. 
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